This just shows that Google is a joke when it comes to security. So if I understood correctly, if these infostealers manage to steal certain information included in cookies like account IDs and tokens, they can keep getting access to accounts, no matter if passwords are changed? And I guess this will even bypass hardware security keys, what a joke!
And Google is forcing passkeys, which are even worse. Edge forced a passkey for MSA and now I am logged in 24/7 without cookies, without 2FA. Previously I got at least a Windows Hello prompt, and they call it improved security?!
Google is downplaying this threat (see quote), they say you can always sign out those unrecognized devices, which I guess is true. But wasn't the problem that hackers can keep creating cookies that allow them to sign in again and again? https://www.androidpolice.com/dangerous-malware-cookies-breaks-google-accounts/
Indeed, but they currently have no solution, no workaround, so they pretend that everything is OK to avoid panic. Not like people would panic, they do not even know what cookies are, but the media would go nuts.